Comment Posted by larsenutah08, Mon, 17 Jan 2011 18:02:01 GMT (http://www.asp.net/mvc/overview/security/preventing-open-redirection-attacks)

Thank you for showing the codes. It helps me.

Comment Posted by crossmonk, Tue, 23 Aug 2011 07:51:01 GMT

What's this "FormsService" then? Oh, it's a magical class not part of the framework that you've created for this demo....but haven't explained?

Comment Posted by ricka6, Wed, 26 Oct 2011 14:29:52 GMT

crossmonk : What's this "FormsService" then?

No, it's part of the framework, specifically System.Web.Security. In MVC 2, this code is generated for you. See msdn.microsoft.com/ or create an MVC 2 project. It's not used in MVC 3 and higher.

Comment Posted by ANILBABU, Wed, 01 Aug 2012 02:41:30 GMT

What is URL REDIRECTION? How can I use this concept in my .net?

But I don't understand how changed redirect url gets to an ordinary user?

If a hacker changes return url - it's only changed in his browser, right?

Did I miss something?

Comment Posted by ahzzz, Wed, 31 Oct 2012 16:49:59 GMT

I was working on MVC4 and I had Url.IsLocalUrl in MVC3.

Why would you assume that a url starting with HTTP or HTTPS is not a local URL? If I have a site with the login url as store.com/://store.com/cart what happens now?

Comment Posted by liquidthoughts, Fri, 26 Apr 2013 05:18:13 GMT

so http ://store.com/login ? http ://store.com/cart would fail?

Comment Posted by dbacher, Mon, 08 Sep 2014 12:36:24 GMT

System.Uri can tell you the DnsSafeName and Port -- as well as the scheme. That works all the way back to .NET 1.0 to extract host, port and scheme for a similar check (and so effectively you're checking against Request.Url, which is already a Uri and conducive to this)

From a security standpoint, you're better off using a cookie or the ASP.NET session where you can defend the return URL, then using a protocol that returns to a uniform page (OAUTH can do this).